Creating ZFS home filesystems from Linux
Some time ago I posted this on ZFS discuss, and Darren J Moffat gave me the idea of using SSH to create the home directories on the Solaris server. So I implemented that solution, and here are the results, so other users can use it (if they are as crazy as I am)…
As you can see in my post, I need to create the home directories (ZFS filesystems) from Linux clients (NFS). I have written another PAM module to handle user logins on GNU/Linux systems (pam_hostscheck), but for this solution I wanted something more generic. I found a good PAM module on the web (pam_make, written by Thorsten Kukuk) that does (almost) exactly what I wanted. So I made some changes to that module, and here you can download the source code for the patched version.
The overall steps are:
ON CLIENTS:
1) Install the (patched) pam_make module;
2) Edit the “/etc/pam.d/system-auth” file to add the “pam_make” module and remove “pam_mkhomedir” (just comment it out);
3) Create the “Makefile” and the “criahomecliente” files under the “/etc/pam_make.d” directory;
4) Create a private/public SSH key pair to log in to the server without a password;
5) Install the private key and the server’s RSA host key;
ON SERVER:
6) Create a user whose only job is the filesystem creation;
7) Disable the (console) login for that user;
8) Install the public key (generated in step 4 above) under the “.ssh” directory in that user’s home directory (you also need to configure sshd for key authentication);
9) Change the shell of the user you just created to the script (criahomeservidor) that will do the job;
10) Add the profile “ZFS File System Management” to that user;
PS.: I’m assuming that the “/home” filesystem is already exported on the Solaris NFS server (sharenfs=on). The users’ home filesystems are created below it, so they inherit the sharenfs property and are exported automatically. The automounter configuration is beyond the scope of this howto, but it needs to be configured on the clients. Basically you will need two configuration files: auto.master and auto.home.
Now, let’s see each step more in depth…
After compiling pam_make you need to move the “pam_make.so” library to the /lib/security/ directory. “make install” does this for you; if you copy it by hand, remember to strip the file.
If you use a GNU/Linux distribution that uses “system-auth” as the generic configuration of the PAM stack, you just need to add the following line to the “session” phase (/etc/pam.d/system-auth):
session optional /lib/security/pam_make.so debug /etc/pam_make.d
PS.: Remember that you will need to remove the “pam_mkhomedir” module from that file.
The next step is to create a simple “Makefile” in the /etc/pam_make.d directory (as in any Makefile, the recipe line must start with a tab). Here is an example:
###################################################################
#--------[ Makefile for running the pam_make.so module ]----------#
#--------[ https://www.eall.com.br/blog byLeal. ]-----------------#
###################################################################
PROGRAM_AUX=/etc/pam_make.d/criahomecliente

criarHome:
	${PROGRAM_AUX} ${USER} ${HOMEDIR} ${USERID} ${MYHOSTNAME}
The lines starting with “#” are just comments; write whatever you want, or leave them like mine (mine were in Portuguese, which makes no sense at all if you don’t speak it, and not much more if you do).
You need to create a private/public key pair to authenticate without a password. I put the private key in /etc/ssh/id_dsa, and the command to generate the pair is:
ssh-keygen -b 1024 -t dsa
Just hit ENTER three times (default file name, empty passphrase, confirmed), and you will have id_dsa and id_dsa.pub in your $HOME/.ssh directory. Then move the id_dsa file to the /etc/ssh/ directory.
Another needed step is to create a global known_hosts file, to avoid the “(yes/no)” SSH host-key prompt. I did this by creating a brand new .ssh/known_hosts in my home directory and connecting to the server with my own user. After that, I just moved it to /etc/ssh/ssh_known_hosts. The last procedure on the client machine is to create the PROGRAM_AUX script. Here you can download mine.
PS.: Remember to change the HOMEUSER and HOMESERVER variables in that script, and make it executable.
That’s it, for the clients the configuration is done.
On the server we must create a user for that purpose. Name it whatever you want, but pay attention to three things:
1) The shell of that user must be the script/program that will do the ZFS home filesystem creation. Here you can download the server Perl script that I wrote.
2) You must execute: passwd -N useryoucreated.
3) I put the script in the home directory of that user, and that home directory is located on the same ZFS pool as the users’ home directories. This way, the needed environment follows the home zpool in a cluster configuration. In a cluster environment you must edit the passwd/shadow files on both nodes.
PS.: Another “tip” is to use the same “/etc/ssh” directory on all servers in the cluster. I think this avoids different “host keys” between nodes…
Now just copy the id_dsa.pub file you created to /home/useryoucreated/.ssh/authorized_keys, and give the ZFS administrative profile to that user:
usermod -P "ZFS File System Management" useryoucreated
If you look carefully at the script “criahomeservidor”, you will see that some variables and the second “run_command” are commented out. That’s because the “chown” command is not working yet; we need a configuration that lets the user execute that action. I will update this procedure soon.
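As an added example (not the author’s criahomeservidor Perl script, which is downloadable above), here is what the login shell of the creation user can look like in POSIX sh: it validates the four fields the client sends before anything reaches zfs, refuses to clobber an existing dataset, and returns a distinct exit code per phase so the “Exit status” line of ssh -v tells you where it failed. It assumes the home dataset is named “home” (mounted at /home) and that zfs lives in /usr/sbin; both are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's criahomeservidor (which is Perl): a login shell
# for the dedicated creation user. sshd runs it as:  shell -c "user homedir uid host"
# Assumption: the home dataset is "home" (mounted at /home); override with HOMEFS.
HOMEFS=${HOMEFS:-home}
ZFS=${ZFS:-/usr/sbin/zfs}

# One exit code per phase, so "ssh -v ... Exit status N" tells you where it failed.
E_USAGE=2; E_BADUSER=3; E_BADPATH=4; E_BADUID=5; E_EXISTS=6; E_CREATE=7

# Validate the four fields the client sends before anything reaches zfs(1M):
# username is [a-z][a-z0-9_-]*, home path must be exactly /home/<user>,
# uid must be numeric and not a system uid.
check_request() {
    [ $# -eq 4 ] || return $E_USAGE
    user=$1; homedir=$2; uid=$3
    case $user in [a-z]*) ;; *) return $E_BADUSER ;; esac
    case $user in *[!a-z0-9_-]*) return $E_BADUSER ;; esac
    [ "$homedir" = "/home/$user" ] || return $E_BADPATH
    case $uid in ''|*[!0-9]*) return $E_BADUID ;; esac
    [ "$uid" -ge 1000 ] || return $E_BADUID
    return 0
}

# Dataset name for a validated username, e.g. home/alice
dataset_for() { printf '%s/%s\n' "$HOMEFS" "$1"; }

# Refuse to clobber an existing dataset, then create it (sharenfs is inherited
# from the parent, so the new home is exported automatically).
create_home() {
    check_request "$@" || return $?
    ds=$(dataset_for "$1")
    "$ZFS" list -H -o name "$ds" >/dev/null 2>&1 && return $E_EXISTS
    "$ZFS" create "$ds" || return $E_CREATE
}

# As a login shell, sshd hands us '-c "<command line>"'; split it into words
# (set -f: no glob expansion of client-supplied text) and process the request.
if [ "$1" = "-c" ] && [ $# -eq 2 ]; then
    set -f
    set -- $2
    create_home "$@"
    exit $?
fi
```

With the pool name adjusted, the same four-argument call the client script makes (`ssh -i /etc/ssh/id_dsa -l useryoucreated server someuser /home/someuser uid host`) reaches create_home through the -c branch.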
Troubleshooting tips:
1) First look in the “/var/log/messages” file on the Linux client. If the logging facility itself is working, there should be some insight into the problem there.
2) In case there is nothing in the log file, you can execute the “criahomecliente” script by hand. Example:
/etc/pam_make.d/criahomecliente someuser /home/someuser someuseruid linuxservername
You should then see the error messages in your terminal.
3) Now, if the error is in the execution on the server side (Solaris), you can execute the following line from your Linux client:
/usr/bin/ssh -vi /etc/ssh/id_dsa -l useryoucreated yoursolarisserver.yourdomain someuser /home/someuser someuseruid linuxservername
and pay attention to the exit status, as in this example:
...
debug1: Next authentication method: publickey
debug1: Trying private key: /etc/ssh/id_dsa
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: someuser /home/someuser someuseruid linuxservername
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 2 <---------- HERE
...
Each phase of the scripts criahome{cliente,servidor} returns a distinct exit code.
That's all.